In many organisations, cybersecurity is still seen as a technical domain. Something owned by IT, driven by tools, and addressed when necessary. But under NIS2, that perspective no longer holds.
In our previous article on GRC in Belgium and how organisations maintain oversight, we explored how companies are adapting to an increasingly complex regulatory and threat landscape. One thing became clear: cybersecurity is no longer just about protection; it has become a matter of governance.
To make this concrete, we are breaking down NIS2 into six key pillars that define a resilient cybersecurity strategy:
Each of these pillars plays a critical role in strengthening organisational resilience.
This article focuses on IDENTIFY, the pillar that provides the visibility required to make every other security decision meaningful.
And within that visibility, one element plays a central role: identity. Because ultimately, understanding your environment is not just about systems and data, but about knowing who and what interacts with them.
Before an organisation can protect, detect or respond, it must first understand its environment.
IDENTIFY is the function that transforms a complex, often fragmented landscape into a structured and actionable overview.
It answers fundamental questions such as:
Without clear answers to these questions, cybersecurity remains based on assumptions rather than facts.
👉 You cannot protect what you do not understand.
When organisations think about IDENTIFY, the focus often goes to assets: servers, applications, data and infrastructure.
But there is another dimension that is just as critical: identity.
Every interaction within your environment is tied to an identity:
IDENTIFY therefore does not only map what exists, but also who and what interacts with it.
This makes identity a crucial layer in building a complete and accurate picture of your organisation.
👉 Visibility is not just about assets. It is about access.
One of the key shifts introduced by NIS2 is scope. IDENTIFY is no longer limited to traditional IT environments. It extends across:
It also goes beyond organisational and geographical boundaries. Shared platforms, international tenants and outsourced services all introduce dependencies that must be understood and documented.
This includes:
Because from a risk perspective, ownership is less relevant than impact.
👉 If it can affect your continuity, it belongs within your scope.
IDENTIFY is not just about creating an inventory.
It is about transforming information into insight.
This includes:
Crucially, identity plays a key role here as well.
Because risks are often not only tied to systems, but to how access is granted, used and managed.
👉 By combining asset visibility with identity insight, organisations move from fragmented knowledge to a structured, risk-based understanding.
These domains not only map assets and risks, but also define how identities and access are understood across the organisation.
Organisations must maintain a complete inventory of their assets: hardware, software, data, users, cloud platforms, OT components and external systems.
This goes beyond listing assets. It includes mapping how they interact, understanding dependencies and identifying what is mission-critical.
Without this foundation, every security decision becomes guesswork.
IDENTIFY also defines how cybersecurity is structured across the organisation.
This includes policies, responsibilities and the translation of regulatory requirements into day-to-day operations.
Clear governance reduces ambiguity and ensures that security is applied consistently.
Risk assessment brings context to visibility.
By analysing threats, vulnerabilities, potential impact and likelihood, organisations gain a clear understanding of where their real risks lie.
This ensures that efforts are focused where they matter most.
Once risks are identified, organisations must decide how to handle them.
This includes defining risk appetite, prioritising actions and embedding risk-based decision-making into the organisation.
A clear strategy ensures alignment between technical controls and business objectives.
Modern organisations rely heavily on external partners, suppliers and service providers.
IDENTIFY therefore extends beyond internal systems to include the broader ecosystem.
Because ultimately, your security is only as strong as the weakest link in your chain.
In practice, many organisations struggle with the IDENTIFY pillar. Common challenges include:
These gaps make it difficult to prioritise security efforts and increase the likelihood of blind spots.
👉 In cybersecurity, blind spots are where risk accumulates.
A strong IDENTIFY function provides clarity, structure and direction.
Organisations aligned with NIS2 typically:
In doing so, they create a foundation that supports every other cybersecurity function.
👉 When visibility is clear, decisions become easier and more effective.
At its core, IDENTIFY is about clarity. Not just knowing what exists, but understanding how everything connects: from assets and systems to identities and access.
In a landscape defined by complexity and interdependence, assumptions are no longer enough.
The organisations that succeed are not those with the most tools, but those with the clearest understanding of their environment.
That clarity is what turns cybersecurity from reactive effort into controlled strategy.
⏭️ Up Next: PROTECT
If IDENTIFY gives you a clear understanding of your organisation's assets, identities and dependencies, PROTECT is where you turn that insight into action. In our next GRC article, we will explore how to strengthen your security posture through concrete measures such as access control, endpoint security and network segmentation. Because once you know what matters most, the next step is making sure it is properly secured.
At Easi, we help organisations move from fragmented visibility to a structured understanding of their environment.
This includes:
Gaining visibility is only the first step. Turning it into action is what drives real resilience.
👉 Discover more about our GRC services, including NIS2:
https://easi.net/en/services/security/governance-risk-and-compliance.
👉 Get in touch for a 60-min NIS2 scope-check:
https://easi.net/en/services/security/governance-risk-and-compliance/NIS2-scope-check